Apple has issued a new round of Rapid Security Response (RSR) updates to address a Zero-Day bug exploited in attacks and impacting fully-patched iPhones, Macs, and iPads.
"Apple is aware of a report that this issue may have been actively exploited," the company says in iOS and macOS advisories when describing the CVE-2023-37450 vulnerability reported by an anonymous security researcher.
RSR patches, according to an Apple article, have been introduced as compact updates designed to address security concerns on the iPhone, iPad, and Mac platforms, and they serve the purpose of resolving security issues that arise between major software updates.
"By default, your device automatically applies Rapid Security Responses. If necessary, you'll be prompted to restart your device. To check your device settings:
- iPhone or iPad: Go to Settings > General > Software Update > Automatic Updates, then make sure that 'Security Responses & System Files' is turned on.
- Mac: Choose Apple menu > System Settings. Click General in the sidebar, then click Software Update on the right. Click the Show Detail button next to Automatic Updates, then make sure that 'Install Security Responses and system files' is turned on.
When a Rapid Security Response has been applied, a letter appears after the software version number, as in this example: macOS 13.3.1 (a)."
Here are comments from cybersecurity vendor experts.
Georgia Weidman, Security Architect at Zimperium:
"The very code re-use that has helped make the internet truly ubiquitous and has allowed Apple to provide such diverse offerings unfortunately comes with the associated cost that bad actors can increasingly use the same exploit across entire ecosystems of products. WebKit is foundational to essentially every product in the Apple ecosystem that can render web content and that ranges from the operating systems to Apple’s products to third-party developer products. This is an instance of 'Hack once, attack everywhere,' so Apple's responsiveness here is to be commended and is welcomed by security professionals.
Though vendor supplied patches should always be applied as swiftly as possible, it is especially important to patch all devices that are subject to vulnerabilities that are known to be actively exploited in the wild, such as the issues Apple is patching with this latest security release. With even nation state adversaries, purportedly even the United States intelligence agencies, hoarding Zero-Day, no-click attack vectors, Apple, even though they're the largest market capitalized company on the planet, is always going to be playing defense.
This demonstrates more than ever the need for users to have access to security tools that allow them to move beyond just detecting known threats and instead allow them to automatically detect and defeat the behaviors most commonly used by malware. Exact attack code and static detection signatures change with each new vulnerability that is discovered. However, key elements of the attack chain remain the same even for a never before seen, Zero-Day attack such as turning off code execution protections or disabling operating system security features."
John Gallagher, Vice President of Viakoo Labs at Viakoo:
"Kudos to Apple for taking action on the growing number of Zero-Day exploits through their Rapid Security Response capability. At least for now, this gives users a clear indication that the patch is urgent and different from a standard update for functionality and minor bug fixes.
The danger is that Rapid Security Responses become too frequent and therefore become 'background noise' to users as current updates might be.
This highlights that every device type has different mechanisms and timing for closing the window of vulnerability for users. We've seen incredibly high severity vulnerabilities take months to patch (e.g. Microsoft Exchange Server vulnerabilities) even with Microsoft's advanced capabilities for patching, or IoT/OT devices which can be exploitable for several months because many organizations have not yet deployed automated patching/updating solutions at scale. Apple's actions help to reduce the time threat actors can leverage this exploit to (hopefully) just days."
Mike Parkin, Senior Technical Engineer at Vulcan Cyber:
"Apple didn't give any explanation on the vulnerability beyond it leading to arbitrary code execution, and, more important, that it may currently be exploited in the wild. As with any vulnerability that has a live exploit, the advice is to patch now rather than later and, even without knowing the details, the advice applies here."
